
Backport of Respect increment value in grace period calculations (api/LifetimeWatcher) into release/1.8.x #14939

Conversation

hc-github-team-secure-vault-core
Collaborator

Backport

This PR is auto-generated from #14836 to be assessed for backporting due to the inclusion of the label backport/1.8.x.

WARNING automatic cherry-pick of commits failed. Commits will require human attention.

The below text is copied from the body of the original PR.


Fixes: #14638

Background

api.LifetimeWatcher is a tool that helps to monitor and periodically renew expiring token or credential leases. It determines a grace period based on a given lease duration and attempts to renew the lease within the grace period. The callers of LifetimeWatcher can optionally specify an Increment value in seconds, which is sent to the Vault server and is meant to override the token's TTL value, if respected by the server.

The issue

This means that for long-lived leases, a client cannot submit its own increment value that is less than the lease's grace period without triggering an immediate return (without sleeping).

Change

This PR will make sure that the grace period is calculated based on the minimum of the remaining lease duration & interval (if specified).

How was this tested

I added a short_increment_duration test to renewer_test.go.

Additionally, I was able to successfully reproduce the issue in hello-vault-go. Before the fix, setting an increment value lower than the token's actual TTL resulted in an early renewal and the following error every time renew was called:

URL: PUT http://vault-server:8200/v1/sys/wrapping/unwrap
Code: 400. Errors:

* wrapping token is not valid or does not exist. If the AppRoleAuth struct was initialized with the WithWrappingToken LoginOption, then the secret ID's filepath should be a path to a response-wrapping token

When I built against this branch, the error disappeared and the renew period was updated to the increment value minus grace period as expected.
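The following is an illustrative model, added here and not code from the Vault repository or from this PR, of the grace-period and sleep calculation the PR body describes: before the fix the grace period is derived from the remaining lease duration alone, so a short caller-supplied increment is swallowed by a grace period that is longer than the increment itself and the watcher returns without sleeping; after the fix the grace period is derived from the minimum of the remaining lease duration and the increment. The "10% plus up to 10% jitter" grace rule, the `calculateGrace`/`sleepBeforeRenew`/`plan` names, the simplified "window minus grace" sleep rule, and the 32-day lease with a one-hour increment are all assumptions chosen to reproduce the symptom, not values taken from the project.

```go
package main

import (
	"fmt"
	"math/rand"
	"time"
)

// calculateGrace is an illustrative model (not Vault's own code) of the grace
// period rule: the grace is 10% of a reference duration plus up to another
// 10% of random jitter, so it always falls in [10%, 20%) of that reference.
// With respectIncrement=false the reference is the remaining lease duration
// alone (the behaviour the PR describes as broken); with respectIncrement=true
// it is the minimum of the remaining lease duration and a positive increment,
// which is what the fix changes. The exact percentages are an assumption.
func calculateGrace(remaining, increment time.Duration, respectIncrement bool, rng *rand.Rand) time.Duration {
	if remaining <= 0 {
		return 0
	}
	ref := remaining
	if respectIncrement && increment > 0 && increment < ref {
		ref = increment
	}
	jitterMax := ref / 10 // integer Duration arithmetic avoids float rounding
	if jitterMax <= 0 {
		return ref // sub-10ns reference: nothing sensible to jitter
	}
	return jitterMax + time.Duration(rng.Int63n(int64(jitterMax)))
}

// sleepBeforeRenew is a simplified model (an assumption, not the project's
// formula) of how long the watcher waits before the next renewal attempt: the
// renewal window (the increment when one was given and it is shorter than the
// remaining lease, otherwise the remaining lease) minus the grace period. A
// result of 0 means "return immediately without sleeping", the symptom the
// PR body describes.
func sleepBeforeRenew(remaining, increment, grace time.Duration) time.Duration {
	window := remaining
	if increment > 0 && increment < window {
		window = increment
	}
	if sleep := window - grace; sleep > 0 {
		return sleep
	}
	return 0
}

// Schedule holds the outcome of one grace/sleep computation.
type Schedule struct {
	Grace time.Duration
	Sleep time.Duration
}

// plan computes the schedule under either rule for one lease/increment pair.
func plan(remaining, increment time.Duration, respectIncrement bool, rng *rand.Rand) Schedule {
	g := calculateGrace(remaining, increment, respectIncrement, rng)
	return Schedule{Grace: g, Sleep: sleepBeforeRenew(remaining, increment, g)}
}

func main() {
	rng := rand.New(rand.NewSource(1))
	// Constructed scenario: a 32-day lease renewed by a caller that asks for a
	// one-hour increment, the long-lived lease case the PR body describes.
	lease := 768 * time.Hour
	increment := time.Hour

	before := plan(lease, increment, false, rng)
	after := plan(lease, increment, true, rng)
	fmt.Printf("before fix: grace=%v sleep=%v (0 means immediate renew)\n", before.Grace, before.Sleep)
	fmt.Printf("after fix:  grace=%v sleep=%v\n", after.Grace, after.Sleep)

	// Without an increment the two rules agree: the grace comes from the lease.
	noInc := plan(time.Hour, 0, true, rng)
	fmt.Printf("no increment: grace=%v sleep=%v\n", noInc.Grace, noInc.Sleep)
}
```

With the pre-fix rule the grace for a 768h lease lands between 76.8h and 153.6h, far above the one-hour increment, so the computed wait is non-positive and the watcher renews again at once; with the post-fix rule the grace is derived from the one-hour increment (6 to 12 minutes) and the wait becomes the increment minus that grace, which is the behaviour the PR body reports seeing after the change.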

@hashicorp-cla

CLA assistant check

Thank you for your submission! We require that all contributors sign our Contributor License Agreement ("CLA") before we can accept the contribution. Read and sign the agreement

temp seems not to be a GitHub user.
You need a GitHub account to be able to sign the CLA. If you already have a GitHub account, please add the email address used for this commit to your account.

@averche averche closed this Apr 15, 2022
3 participants